Practical Hardware Pentesting - Jean-Georges Valle - E-Book


Description

If you're looking for a hands-on introduction to hardware pentesting that delivers, then Practical Hardware Pentesting is for you. This book will help you plan attacks, hack your embedded devices, and secure the hardware infrastructure.
Throughout the book, you will see how a specific device works, explore the functional and security aspects, and learn how a system senses and communicates with the outside world. You’ll set up a lab from scratch and then gradually work towards an advanced hardware lab—but you’ll still be able to follow along with a basic setup. As you progress, you’ll get to grips with the global architecture of an embedded system and sniff on-board traffic, learn how to identify and formalize threats to the embedded system, and understand its relationship with its ecosystem. You’ll discover how to analyze your hardware and locate its possible system vulnerabilities before going on to explore firmware dumping, analysis, and exploitation. The reverse engineering chapter will get you thinking from an attacker point of view; you’ll understand how devices are attacked, how they are compromised, and how you can harden a device against the most common hardware attack vectors. By the end of this book, you will be well-versed with security best practices and understand how they can be implemented to secure your hardware.

The e-book can be read in Legimi apps or in any app that supports the following formats:

EPUB
MOBI

Page count: 404

Year of publication: 2021




Practical Hardware Pentesting

A guide to attacking embedded systems and protecting them against the most common hardware attacks

Jean-Georges Valle

BIRMINGHAM—MUMBAI

Practical Hardware Pentesting

Copyright © 2021 Packt Publishing

All rights reserved. No part of this book may be reproduced, stored in a retrieval system, or transmitted in any form or by any means, without the prior written permission of the publisher, except in the case of brief quotations embedded in critical articles or reviews.

Every effort has been made in the preparation of this book to ensure the accuracy of the information presented. However, the information contained in this book is sold without warranty, either express or implied. Neither the author, nor Packt Publishing or its dealers and distributors, will be held liable for any damages caused or alleged to have been caused directly or indirectly by this book.

Packt Publishing has endeavored to provide trademark information about all of the companies and products mentioned in this book by the appropriate use of capitals. However, Packt Publishing cannot guarantee the accuracy of this information.

Group Product Manager: Wilson D'souza

Publishing Product Manager: Rahul Nair

Senior Editor: Arun Nadar

Content Development Editor: Romy Dias

Technical Editor: Nithik Cheruvakodan

Copy Editor: Safis Editing

Project Coordinator: Neil D'mello

Proofreader: Safis Editing

Indexer: Manju Arasan

Production Designer: Nilesh Mohite

First published: March 2021

Production reference: 1040321

Published by Packt Publishing Ltd.

Livery Place

35 Livery Street

Birmingham

B3 2PB, UK.

ISBN 978-1-78961-913-3

www.packt.com

To my father. I wouldn't be who I am without you.

Contributors

About the author

Jean-Georges Valle is a hardware penetration tester based in Belgium. His background was in software security, with hardware being a hobby, and he then started to look into the security aspects of hardware. He has spent the last decade testing various systems, from industrial logic controllers to city-scale IoT, and from media distribution to power metering. He has learned to attack embedded systems and to leverage them against cloud-scale infrastructure. He is the lead hardware technical expert in an offensive security team of a big four company.

Jean-Georges holds a master's degree in information security and focuses on security at the point of intersection with hardware and software, hardware and software interaction, exploit development in embedded systems, and open source hardware.

I wish to thank my parents for supporting me and loving me unconditionally, Vito and Jon for giving me an opportunity when I needed it, and Ieva for accepting that this book was competing with her for my time and attention.

About the reviewers

Ryan Slaugh has been a maker and breaker of things for over 20 years. Ryan got his start in electrical systems, and augmented his learning to include the analog, digital, embedded, software, and cybersecurity fields. He continues to practice and add to his skill sets in his home lab, and this allows him to do what he loves the most: solve problems with technology. When not working with technology, Ryan enjoys traveling around the globe and exploring the less inhabited areas of the Pacific Northwest. His greatest joy is being with his family on their small hobby farm in Washington State, USA.

Neeraj Thakur is a manager in the risk advisory practice of Deloitte and has more than 9 years' experience in the area of information and cybersecurity. He holds a master's degree in cybersecurity from the Indian Institute of Information Technology, Allahabad, and has extensive experience in penetration and security testing of various embedded devices and IoT-enabled products. He is a certified ISA/IEC 62443 cybersecurity fundamentals specialist and has worked extensively in the areas of industrial automation and control system security. He has delivered multiple sessions on IoT and ICS security to the security community, including at Nullcon and CySeck. Neeraj is passionate about reverse engineering and security innovations using Python.

Table of Contents

Preface

Section 1: Getting to Know the Hardware

Chapter 1: Setting Up Your Pentesting Lab and Ensuring Lab Safety

Prerequisites – the basics you will need

Languages

Hardware-related skills

System configuration

Setting up a general lab

Safety

Approach to buying test equipment

Home lab versus company lab

Approaching instrument selection

What to buy, what it does, and when to buy it

Small tools and equipment

Renting versus buying

The component pantry

The pantry itself

The stock

Sample labs

Beginner

Amateur

Pro

Summary

Questions

Chapter 2: Understanding Your Target

The CPU block

CPU roles

Common embedded systems architectures

The storage block

RAM

Program storage

Storing data

The power block

The power block from a pentesting point of view

The networking blocks

Common networking protocols in embedded systems

The sensor blocks

Analog sensors

Digital sensors

The actuator blocks

The interface blocks

Summary

Questions

Further reading

Chapter 3: Identifying the Components of Your Target

Technical requirements

Harvesting information – reading the manual

Taking a system analysis approach

For our Furby manual

Harvesting information — researching on the internet

For the Furby

Starting the system diagram

For our Furby

Continuing system exploration – identifying and putting components in the diagram

Opening the Furby

Manipulating the system

Dismantling the Furby

Identifying chips

Chips in the Furby

Identifying unmarked/mysterious chips

Furby — the mystery meat

The borders of functional blocks

Summary

Questions

Chapter 4: Approaching and Planning the Test

The STRIDE methodology

Finding the crown jewels in the assessed system

Security properties – what do we expect?

Communication

Maintenance

System integrity and self-testing

Protection of secrets or security elements

Reaching the crown jewels – how do we create impacts?

STRIDE through the components to compromise properties

For the example system – the Furby

Planning the test

Balancing your scenarios

Summary

Questions

Further reading

Section 2: Attacking the Hardware

Chapter 5: Our Main Attack Platform

Technical requirements

Introduction to the bluepill board

A board to do what?

What is it?

Why C and not Arduino?

The documentation

Memory-projected registers

The toolchain

The compilation process

Driving the compilation

Flashing the chip

Putting it into practice for the bluepill

Introduction to C

Operators

Types

The dreaded pointer

Preprocessor directives

Functions

Summary

Questions

Further reading

Chapter 6: Sniffing and Attacking the Most Common Protocols

Technical requirements

Hardware

Understanding I2C

Mode of operation

Sniffing I2C

Injecting I2C

I2C man in the middle

Understanding SPI

Mode of operation

Sniffing SPI

Injecting SPI

SPI – man in the middle

Understanding UART

Mode of operation

Sniffing UART

Injecting UART

UART – man in the middle

Understanding D1W

Mode of operation

Sniffing D1W

Injecting D1W

D1W – man in the middle

Summary

Questions

Chapter 7: Extracting and Manipulating Onboard Storage

Technical requirements

Finding the data

EEPROMs

EMMC and NAND/NOR Flash

Hard drives, SSDs, and other storage mediums

Extracting the data

On-chip firmware

Onboard storage – specific interfaces

Onboard storage – common interfaces

Understanding unknown storage structures

Unknown storage formats

Well-known storage formats

Let's look for storage in our Furby

Mounting filesystems

Repacking

Summary

Questions

Further reading

Chapter 8: Attacking Wi-Fi, Bluetooth, and BLE

Technical requirements

Basics of networking

Networking in embedded systems using Wi-Fi

Selecting Wi-Fi hardware

Creating our access point

Creating the access point and the basic network services

Networking in embedded systems using Bluetooth

Bluetooth basics

Discovering Bluetooth

Native Linux Bluetooth tools – looking into the joystick crash

Sniffing the BT activity on your host

Sniffing raw BT

BLE

Summary

Questions

Chapter 9: Software-Defined Radio Attacks

Technical requirements

Introduction to arbitrary radio/SDR

Understanding and selecting the hardware

Looking into a radio device

Receiving the signal – a look at antennas

Looking into the radio spectrum

Finding back the data

Identifying modulations – a didactic example

AM/ASK

FM/FSK

PM/PSK

MSK

Getting back to our signal

Demodulating the signal

Clock Recovery MM

WPCR

Sending it back

Summary

Questions

Section 3: Attacking the Software

Chapter 10: Accessing the Debug Interfaces

Technical requirements

Debugging/programming protocols – What are they and what are they used for?

Legitimate usage

Using JTAG to attack a system

Finding the pins

The PCB "plays nicely"

A bit harder

Very hard – JTAGulating

Using OpenOCD

Installing OpenOCD

The adapter file

The target file

Practical case

Summary

Questions

Chapter 11: Static Reverse Engineering and Analysis

Technical requirements

Executable formats

Understanding operating system formats

Dump formats and memory images

Dump structure – the bluepill as an example

Analyzing firmware – introduction to Ghidra

Getting to know Ghidra with a very simple ARM Linux executable

Going into second gear – Ghidra on raw binaries for the STM32

First identification pass

Reversing our target function

Summary

Questions

Chapter 12: Dynamic Reverse Engineering

Technical requirements

What is dynamic reverse engineering and why do it?

Leveraging OpenOCD and GDB

GDB? But... I know nothing about it!

Understanding ARM assembly – a primer

General information and syntax

Exploring the most useful ARM instructions

Using dynamic reverse engineering – an example

First Ghidra inspection

Reversing the expected password

Of course, I aced the test

Summary

Questions

Chapter 13: Scoring and Reporting Your Vulnerabilities

Scoring your vulnerabilities

Being understandable to everyone

Building your report template

Usage of language in a report

Report quality

When engineers do not want to re-engineer

Summary

Questions

Chapter 14: Wrapping It Up – Mitigations and Good Practices

Industry good practices – what are they and where to find them

OWASP IoT top 10

The CIS benchmarks

NIST hardware security guidelines

Common problems and their mitigations

Establishing a trust relationship between the backend and a device

Storing secrets and confidential data

Cryptographic applications in sensitive applications

JTAG, bootloaders, and serial/UART interfaces

What about now? Self-teaching and your first project

Closing words

Assessments

Chapter 1

Chapter 2

Chapter 3

Chapter 4

Chapter 5

Chapter 6

Chapter 7

Chapter 8

Chapter 9

Chapter 10

Chapter 11

Chapter 12

Chapter 13

Other Books You May Enjoy

Section 1: Getting to Know the Hardware

After reading this section, you will know how to set up an assessment lab, understand the global architecture of an embedded system, know how to identify the different components, and understand how they act together in order to make the system run. Once you are able to understand all aspects of how a system works, you will be able to follow a risk modeling methodology to plan your tests according to the threats against the target system.

This section comprises the following chapters:

Chapter 1, Setting Up Your Pentesting Lab and Ensuring Lab Safety

Chapter 2, Understanding Your Target

Chapter 3, Identifying the Components of Your Target

Chapter 4, Approaching and Planning the Test